Resolver: fixed off-by-one read in ngx_resolver_copy().
It is believed to be harmless, and in the worst case it uses some
uninitialized memory as a part of the compression pointer length,
eventually leading to the "name is out of DNS response" error.
diff --git a/src/core/ngx_resolver.c b/src/core/ngx_resolver.c
index 63b2619..9b13172 100644
--- a/src/core/ngx_resolver.c
+++ b/src/core/ngx_resolver.c
@@ -3958,6 +3958,11 @@
}
if (n & 0xc0) {
+ if (p >= last) {
+ err = "name is out of DNS response";
+ goto invalid;
+ }
+
n = ((n & 0x3f) << 8) + *p;
p = &buf[n];
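
Review bot: the offset `n` that feeds `p = &buf[n]` directly after the new check is not bounded by anything visible in this hunk, so the added `p >= last` test covers the read of `*p` but not the jump target. Please confirm that the code following this branch compares the new `p` against `last` before the next length byte is read, or add that comparison here. Separately, `if (n & 0xc0)` also matches length bytes whose top two bits are 01 or 10, which are not compression pointers; if that is intentional, a short comment would help. A regression test with a response that ends immediately after the first byte of a compression pointer would pin down the case the commit message describes.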